The CryptoJoker Ransomware is nothing to Laugh About

A new ransomware has been discovered called CryptoJoker that encrypts your data using AES-256 encryption and then demands a ransom in bitcoins to get your files back. This ransomware was discovered by a group of security researchers called MalwareHunterTeam whose mission is to discover new security threats and release information about them. CryptoJoker is not widely distributed at this time, but is a fully functional ransomware that could see greater distribution in the future.

The CryptoJoker installer is disguised as a PDF file, which means it is probably distributed via email phishing campaigns. Once the installer is executed it will download or generate numerous executables in the %Temp% folder and one in the %AppData% folder. Each of these files performs a specific task, such as sending information to the Command & Control server, polling for running Regedit or Taskmgr processes and terminating them, or making sure the lock screen stays visible on top of the other open windows. Below is a snippet of the code that polls for and terminates the regedit and taskmgr processes.

Code snippet that terminates the Taskmgr and Regedit Processes

When CryptoJoker encrypts your data it will scan all drives on the victim's computer, including mapped network drives, for files with certain extensions. When it finds a file with a targeted extension it encrypts the file and renames it so that .crjoker is appended to the filename. For example, Dog.jpg would become Dog.jpg.crjoker. The list of extensions that CryptoJoker targets is:

While encrypting your data, CryptoJoker will also send information to the Command & Control server located at server6.thcservers.com. The information that is sent by CryptoJoker includes the date, your hostname, username, and machine name. The code used to send some of this info is shown below.

As part of the installation process, CryptoJoker will also create a batch file in the %Temp% folder called new.bat that executes various commands to remove the Shadow Volume Copies and disable Windows automatic startup repair. It runs these commands so that the shadow volumes cannot be used to recover your files. The commands executed by this batch file are:
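As an added example (not code from the article, and not the malware's own code), the following Python routine looks for the behaviours described above in process-creation and file-rename events: a .bat launched from a Temp folder, the shadow-copy deletion and startup-repair disabling the article attributes to new.bat, and the .crjoker rename pattern. The sample events are constructed, and the vssadmin/bcdedit command lines are an assumption, since the article does not quote the contents of the batch file.

```python
import re

# Constructed sample events (not taken from the article). Each process event
# is (image name, command line); each rename event is (old path, new path).
# The article says new.bat removes Shadow Volume Copies and disables automatic
# startup repair but does not quote the commands; the vssadmin and bcdedit
# lines below are the usual ways of doing that and are an assumption here.
SAMPLE_PROCESS_EVENTS = [
    ("cmd.exe", r'cmd.exe /c "C:\Users\victim\AppData\Local\Temp\new.bat"'),
    ("vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ("bcdedit.exe", "bcdedit /set {default} recoveryenabled No"),
    ("bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ("WinDefrag.exe", r"C:\Users\victim\AppData\Local\Temp\WinDefrag.exe"),
]
SAMPLE_RENAME_EVENTS = [
    (r"C:\Users\victim\Pictures\Dog.jpg", r"C:\Users\victim\Pictures\Dog.jpg.crjoker"),
    (r"C:\Users\victim\Documents\taxes.docx", r"C:\Users\victim\Documents\taxes.docx.crjoker"),
    (r"Z:\shared\budget.xlsx", r"Z:\shared\budget.xlsx.crjoker"),
    (r"C:\Users\victim\Downloads\draft.txt", r"C:\Users\victim\Downloads\final.txt"),
]
# Command lines that destroy or disable the recovery paths the article describes.
RECOVERY_TAMPER = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    re.compile(r"\bbcdedit(\.exe)?\s+/set\b.*\brecoveryenabled\s+no\b", re.I),
    re.compile(r"\bbcdedit(\.exe)?\s+/set\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
]
TEMP_BATCH = re.compile(r'\\Temp\\[^\\\s"]+\.bat\b', re.I)

def recovery_tamper_hits(process_events):
    """Command lines matching shadow-copy deletion or startup-repair disabling."""
    return [cmd for _, cmd in process_events
            if any(p.search(cmd) for p in RECOVERY_TAMPER)]

def temp_batch_launches(process_events):
    """Command lines that run a .bat file out of a Temp folder (new.bat above)."""
    return [cmd for _, cmd in process_events if TEMP_BATCH.search(cmd)]

def crjoker_renames(rename_events):
    """New paths where .crjoker was simply appended to the original name."""
    return [new for old, new in rename_events
            if new.lower() == old.lower() + ".crjoker"]

def triage(process_events, rename_events, rename_threshold=3):
    """Fold the indicators into one verdict; tampering alone justifies isolation."""
    tamper = recovery_tamper_hits(process_events)
    renames = crjoker_renames(rename_events)
    return {"recovery_tamper": tamper,
            "temp_batch": temp_batch_launches(process_events),
            "crjoker_renames": renames,
            "isolate_host": bool(tamper) or len(renames) >= rename_threshold}
```

Feeding the sample events to `triage()` flags the three recovery-tampering commands, the single Temp batch launch and the three .crjoker renames, and recommends isolating the host; the ordinary draft.txt rename is ignored.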

Finally, the ransomware will display a small window with instructions in both English and Russian. These instructions state that the victim must email file987@sigaint.org, file9876@openmail.cc, or file987@tutanota.com for payment instructions. The email must also include the RSA-encrypted string of text shown in this window, which is read from %Temp%\README!!!.txt. The malware developer will then respond with the ransom amount and further instructions.

Ransom Note

This ransom note will stay on top of your open applications unless you terminate the %Temp%\WinDefrag.exe process.

At this time there is no known method to decrypt files encrypted by CryptoJoker for free. If it starts to circulate more widely, the executable will be examined more closely for possible methods of recovering a victim's files.

Lawrence Abrams is the creator and owner of BleepingComputer.com. Lawrence's area of expertise includes malware removal and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies.

I believe they meant that the ransomware creates a key pair based on RSA 2048 bits which is used to encrypt the files using AES 256 - pretty much as EFS does. After completing the encryption, the private key is deleted from the system (and was previously backed up on the ransom servers...), and you will pay to get your private key back so you can decrypt the files.

"I believe they meant that the ransomware creates a key pair based on RSA 2048 bits which is used to encrypt the files using AES 256 - pretty much as EFS does. After completing the encryption, the private key is deleted from the system (and was previously backed up on the ransom servers...), and you will pay to get your private key back so you can decrypt the files."

If the encryption key was on the computer and then was automatically deleted by the script, then theoretically we should be able to recover the key using a program such as Active@ File Recovery if we knew where it was saved and what it was called. I wonder if we can create a sandbox machine and monitor it for changes, infect it with the virus, dissect the change log to find the file that contains the encryption key, and then create a program with a script on a USB to use a file recovery tool to automatically recover the key for the user to enter into the ransomware after restarting the computer.

""I believe they meant that the ransomware creates a key pair based on RSA 2048 bits which is used to encrypt the files using AES 256 - pretty much as EFS does. After completing the encryption, the private key is deleted from the system (and was previously backed up on the ransom servers...), and you will pay to get your private key back so you can decrypt the files."

If the encryption key was on the computer and then was automatically deleted by the script, then theoretically we should be able to recover the key using a program such as Active@ File Recovery if we knew where it was saved and what it was called. I wonder if we can create a sandbox machine and monitor it for changes, infect it with the virus, dissect the change log to find the file that contains the encryption key, and then create a program with a script on a USB to use a file recovery tool to automatically recover the key for the user to enter into the ransomware after restarting the computer."

If you are lucky enough to be offline at the time of infection, then yes, theoretically you do have a chance to find the key somewhere. But probably you are online and the virus managed to send the key file to the attacker's server without even storing it locally.

Hmm, if they monitor whether you run regedit and taskmgr, then maybe you as a user need to monitor all programs that are started on the computer. Blocking, yes, but monitoring... definitely.

Does anyone know about all the run places in the registry? HKLM... Run, HKCU... Run, RunOnce places, CurrentControlSet RunServices etc. Maybe the computer needs to be locked down in all these places too. Maybe Windows can be set up to only run signed programs and the user needs to approve the signings? Anyway, again only "advanced" users can do these things; an ordinary user does not even know it exists, and that is why the ransomware creators "win" or at least continue developing these actually quite good programs. Knowledge is power, so let's take the power back. The few I have helped so far don't even dare use their computers anymore, and they don't know how they got infected in the first place. I have checked all the mails they received in late 2015 and none were using phishing; there were two, though, about money. But I suspect the users got the infections through some ads on legitimate websites, and it is quite difficult fighting these threats for every user on the planet.

Any good ideas? Based on the last experience I disconnected my networked backup drive, which before these ransomware programs was automatically backing up two of my computers so I would be unlikely to lose any data. Now I have to connect manually and do the backup... This annoys me, because I think the ransom makers "won". I dislike "losing" a battle I have not started or opted in to...

This is probably a dumb question, but if I am logged on to my computer as a "user" rather than as an "administrator", will the Ransomware still be able to install and run itself? It's my understanding that only "administrators" can install software. If, as a "user" I try to install software on my computer, I always get a pop-up asking me for the administrator's password. Does the same restriction apply to ransomware?